movehat 0.2.1 → 0.2.3

package/src/fork/server.ts

@@ -1,6 +1,20 @@
 import http from 'http';
 import { URL } from 'url';
 import { ForkManager } from './manager.js';
+import { logger } from '../ui/index.js';
+
+export interface ForkServerOptions {
+  /**
+   * Origins allowed to make cross-origin requests. When unset (default),
+   * no `Access-Control-Allow-Origin` header is emitted — any browser
+   * cross-origin read is rejected by the user agent. Setting this to a
+   * non-empty list opts into echoing matching `Origin` request headers
+   * back. Wildcard `'*'` is intentionally NOT supported: cached fork
+   * state may include resources that should not be readable by every
+   * page in the dev's browser.
+   */
+  corsAllowOrigins?: readonly string[];
+}
 
 /**
  * Fork Server - Serves fork data via Movement L1 RPC API
@@ -11,16 +25,38 @@ export class ForkServer {
   private forkManager: ForkManager;
   private port: number;
   private host: string;
+  private readonly corsAllowOrigins: ReadonlySet<string>;
 
   /**
    * @param host Interface to bind. Defaults to `127.0.0.1` so cached fork
    *   state (which may include sensitive resources) is not exposed on the LAN.
    *   Pass `'0.0.0.0'` only if you intentionally need to expose the server.
+   * @param options Optional CORS allowlist (see {@link ForkServerOptions}).
    */
-  constructor(forkPath: string, port: number = 8080, host: string = '127.0.0.1') {
+  constructor(
+    forkPath: string,
+    port: number = 8080,
+    host: string = '127.0.0.1',
+    options: ForkServerOptions = {}
+  ) {
     this.forkManager = new ForkManager(forkPath);
     this.port = port;
     this.host = host;
+    this.corsAllowOrigins = new Set(options.corsAllowOrigins ?? []);
+  }
+
+  /**
+   * Set CORS headers for a request when the request's `Origin` is in
+   * the allowlist. No-op otherwise.
+   */
+  private applyCors(req: http.IncomingMessage, res: http.ServerResponse): void {
+    const origin = req.headers.origin;
+    if (typeof origin === 'string' && this.corsAllowOrigins.has(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Vary', 'Origin');
+      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    }
   }
 
   /**
@@ -31,23 +67,21 @@ export class ForkServer {
     this.forkManager.load();
     const metadata = this.forkManager.getMetadata();
 
-    console.log(`\nStarting Fork Server...`);
-    console.log(`  Network: ${metadata.network}`);
-    console.log(`  Chain ID: ${metadata.chainId}`);
-    console.log(`  Ledger Version: ${metadata.ledgerVersion}`);
-    console.log(`  Forked at: ${metadata.createdAt}`);
+    logger.newline();
+    logger.phase("Fork Server");
+    logger.kv("Network", metadata.network, 2);
+    logger.kv("Chain ID", String(metadata.chainId), 2);
+    logger.kv("Ledger Version", String(metadata.ledgerVersion), 2);
+    logger.kv("Forked at", metadata.createdAt, 2);
 
     this.server = http.createServer((req, res) => {
       this.handleRequest(req, res).catch((error) => {
         // Log full error server-side for diagnostics
-        console.error(`Error handling request:`, error);
+        logger.error(`Error handling request: ${error instanceof Error ? error.message : String(error)}`);
 
         // Only send response if headers haven't been sent yet
         if (!res.headersSent) {
-          // Add CORS headers (same as in handleRequest)
-          res.setHeader('Access-Control-Allow-Origin', '*');
-          res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-          res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+          this.applyCors(req, res);
 
           // Send generic error response (no internal details exposed)
           this.sendJSON(res, 500, {
@@ -92,13 +126,15 @@ export class ForkServer {
             : isIpv6
               ? `[${this.host}]`
               : this.host;
-        console.log(`\nFork Server listening on http://${displayHost}:${this.port}`);
-        console.log(`  Bound interface: ${this.host}`);
-        console.log(`  Ledger Info: http://${displayHost}:${this.port}/v1/`);
+        logger.newline();
+        logger.success(`Fork Server listening on http://${displayHost}:${this.port}`);
+        logger.kv("Bound interface", this.host, 2);
+        logger.kv("Ledger Info", `http://${displayHost}:${this.port}/v1/`, 2);
         if (this.host === '0.0.0.0') {
-          console.warn(`  Server is bound to 0.0.0.0 — fork state is reachable from the LAN.`);
+          logger.warning("Server is bound to 0.0.0.0 — fork state is reachable from the LAN.", 2);
         }
-        console.log(`\nPress Ctrl+C to stop`);
+        logger.newline();
+        logger.info("Press Ctrl+C to stop");
         resolve();
       });
     });
@@ -111,7 +147,8 @@ export class ForkServer {
     return new Promise((resolve) => {
       if (this.server) {
         this.server.close(() => {
-          console.log('\nFork Server stopped');
+          logger.newline();
+          logger.success("Fork Server stopped");
           resolve();
         });
       } else {
@@ -140,13 +177,11 @@ export class ForkServer {
     const url = new URL(req.url || '/', `http://localhost:${this.port}`);
     const pathname = url.pathname;
 
-    // Log request
-    console.log(`[${new Date().toISOString()}] ${req.method} ${pathname}`);
+    // Log request — plain so the fork-server access log retains its
+    // grep-friendly line shape (timestamp + method + path, no symbol).
+    logger.plain(`[${new Date().toISOString()}] ${req.method} ${pathname}`);
 
-    // CORS headers
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    this.applyCors(req, res);
 
     // Handle OPTIONS for CORS preflight
     if (req.method === 'OPTIONS') {
@@ -187,7 +222,7 @@ export class ForkServer {
       }
     } catch (error) {
       // Log full error server-side for diagnostics
-      console.error('Error handling request:', error);
+      logger.error(`Error handling request: ${error instanceof Error ? error.message : String(error)}`);
 
       // Send generic error to client (don't expose internal details)
       this.sendError(res, 500, 'Internal server error');

package/src/fork/test.ts

@@ -2,6 +2,7 @@ import { join } from 'path';
 import { existsSync } from 'fs';
 import { runCli } from '../utils/runCli.js';
 import type { ChildProcessAdapter } from '../utils/childProcessAdapter.js';
+import { logger } from '../ui/index.js';
 
 export interface SnapshotOptions {
   path?: string;
@@ -40,7 +41,7 @@ export async function snapshot(options: SnapshotOptions = {}): Promise<string> {
   const name = options.name || `snapshot-${Date.now()}`;
   const snapshotPath = options.path || join(process.cwd(), '.movehat', 'snapshots', name);
 
-  console.log(`📸 Creating snapshot: ${name}...`);
+  logger.info(`Creating snapshot: ${name}...`);
 
   try {
     // Initialize fork/snapshot using aptos CLI.
@@ -68,7 +69,7 @@ export async function snapshot(options: SnapshotOptions = {}): Promise<string> {
       throw new Error('Snapshot directory was not created');
     }
 
-    console.log(`   ✓ Snapshot created at ${snapshotPath}`);
+    logger.success(`Snapshot created at ${snapshotPath}`, 2);
     return snapshotPath;
   } catch (error) {
     const msg = error instanceof Error ? error.message : String(error);

package/src/harness/Harness.ts

@@ -92,19 +92,28 @@ export class Harness {
    * and `runMoveScript` throw with a message pointing at `createLocal`.
    * `runViewFunction` works (read-only path).
    *
-   * @param network - Network to fork (e.g. `"testnet"`).
+   * @param network - Network to fork. Built-ins: `"testnet"`, `"mainnet"`.
+   *   Any other name requires `rpcUrl`.
    * @param apiKey - Optional Movement API key. When set, every upstream
    *   request from the fork's `MovementApiClient` carries
    *   `Authorization: Bearer <apiKey>`. Use for rate-limited public
    *   endpoints or auth-gated nodes. The key stays in process memory
    *   (not persisted to the fork's on-disk metadata).
+   * @param rpcUrl - Required when forking a non-built-in network.
+   *   Ignored when a fork already exists on disk (the saved metadata's
+   *   nodeUrl is reused).
    */
-  static async createFork(network: string, apiKey?: string): Promise<Harness> {
+  static async createFork(
+    network: string,
+    apiKey?: string,
+    rpcUrl?: string
+  ): Promise<Harness> {
     const setupOpts: import("../types/config.js").LocalTestOptions = {
       mode: "fork",
       forkNetwork: network,
     };
     if (apiKey !== undefined) setupOpts.forkApiKey = apiKey;
+    if (rpcUrl !== undefined) setupOpts.forkRpcUrl = rpcUrl;
     const ctx = await setupLocalTesting(setupOpts);
     const init: HarnessInit = {
       mode: "fork",

package/src/harness/codeObject.ts

@@ -1,6 +1,4 @@
-import { homedir } from "os";
-import { join } from "path";
-import { randomUUID } from "crypto";
+import { PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import type { MovehatRuntime } from "../types/runtime.js";
 import type {
   DeployCodeObjectOptions,
@@ -14,7 +12,7 @@ import {
   validateSafeName,
   type DeploymentInfo,
 } from "../core/deployments.js";
-import { validatePathSafety, validateProfileSafety } from "../core/shell.js";
+import { validatePathSafety } from "../core/shell.js";
 import {
   CliExecutionError,
   ModuleAlreadyDeployedError,
@@ -22,12 +20,11 @@ import {
 } from "../errors.js";
 import { runCli } from "../utils/runCli.js";
 import { parseTxHash } from "../utils/parseCliOutput.js";
-import { logger } from "../ui/index.js";
+import { logger, isVerbose } from "../ui/index.js";
 import {
-  withYamlLock,
-  addProfile,
-  removeProfile,
-  removeProfileSync,
+  writeTempKeyFile,
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
   ensureSignalHandler,
   cleanupCallbacks,
 } from "../core/movementProfile.js";
@@ -170,9 +167,7 @@ async function executeMovementMoveObject(
   }
 
   const dir = opts.packageDir || config.moveDir;
-  const profile = `movehat-deploy-${randomUUID().slice(0, 8)}`;
   const safeDir = validatePathSafety(dir, "package directory");
-  const safeProfile = validateProfileSafety(profile);
 
   logger.step(
     `${subcommand === "deploy-object" ? "Deploying" : "Upgrading"} module "${moduleName}" from ${dir}...`
@@ -211,32 +206,30 @@ async function executeMovementMoveObject(
       },
       { adapter: opts.adapter }
     );
-    if (buildResult.stdout) console.log(buildResult.stdout.trim());
+    if (isVerbose() && buildResult.stdout) logger.info(buildResult.stdout.trim(), 2);
 
-    // Strip `ed25519-priv-` prefix if present — Movement CLI expects the
-    // raw hex.
-    let cleanPrivateKey = config.privateKey;
-    if (cleanPrivateKey.startsWith("ed25519-priv-")) {
-      cleanPrivateKey = cleanPrivateKey.replace("ed25519-priv-", "");
-    }
+    // Format the private key into AIP-80 shape so the Movement CLI
+    // doesn't emit its raw-hex deprecation warning. `formatPrivateKey`
+    // is idempotent for already-prefixed inputs.
+    const formattedPrivateKey = PrivateKey.formatPrivateKey(
+      config.privateKey,
+      PrivateKeyVariants.Ed25519,
+    );
 
-    const movementConfigPath = join(homedir(), ".aptos", "config.yaml");
+    // Pass the private key via a 0o600 temp file (--private-key-file)
+    // and the on-chain address via --sender-account. This avoids the
+    // CLI's profile-yaml lookup entirely — no CWD / HOME / .aptos /
+    // .movement dance, no CLI-variant dependency.
+    const keyFilePath = writeTempKeyFile(formattedPrivateKey);
 
-    // Register SIGINT-safe sync cleanup BEFORE writing the key (same
-    // pattern as Publisher — closes bug #36).
+    // Register SIGINT-safe sync cleanup BEFORE invoking the CLI so
+    // the private key never persists on disk after an abnormal exit.
+    // The signal-handler path uses the best-effort variant because the
+    // event loop is dead and we cannot logger.warning.
     ensureSignalHandler();
-    const syncCleanup = () => removeProfileSync(movementConfigPath, profile);
+    const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
     cleanupCallbacks.add(syncCleanup);
 
-    await withYamlLock(() =>
-      addProfile(movementConfigPath, profile, {
-        private_key: cleanPrivateKey,
-        public_key: account.publicKey.toString(),
-        account: deployerAddress,
-        rest_url: config.rpc,
-      })
-    );
-
     let deployOut = "";
     try {
       logger.step(
@@ -258,8 +251,10 @@ async function executeMovementMoveObject(
             safeDir,
             "--url",
             config.rpc,
-            "--profile",
-            safeProfile,
+            "--private-key-file",
+            keyFilePath,
+            "--sender-account",
+            deployerAddress,
             "--assume-yes",
             ...includedArtifacts,
             ...namedAddrArgs,
@@ -270,21 +265,23 @@ async function executeMovementMoveObject(
         { adapter: opts.adapter }
       );
       deployOut = result.stdout;
-      if (result.stdout) console.log(result.stdout.trim());
-      if (result.stderr) console.error(result.stderr.trim());
+      // Both streams gated behind isVerbose(); see §9 — stream channel
+      // is not by itself a failure signal. Real failures throw via
+      // CliExecutionError and are surfaced from the catch below.
+      if (isVerbose() && result.stdout) logger.info(result.stdout.trim(), 2);
+      if (isVerbose() && result.stderr) logger.info(result.stderr.trim(), 2);
     } finally {
-      // Best-effort profile removal. CRITICAL: catch + log instead of
-      // re-throwing — an await-in-finally that throws would clobber the
-      // try block's success/error (the bug-#37 lesson from Publisher).
-      await withYamlLock(() => removeProfile(movementConfigPath, profile)).catch(
-        (err) => {
-          const cleanupMsg = err instanceof Error ? err.message : String(err);
-          logger.warning(
-            `Failed to remove deploy profile "${profile}" from ${movementConfigPath}: ${cleanupMsg}. ` +
-              `Run 'movement config delete-profile --profile ${profile}' to clean up manually.`
-          );
-        }
-      );
+      // Unlink via the observable helper — emit a warning if the file
+      // could not be removed AND still exists on disk (private key
+      // would persist silently otherwise). ENOENT and races are
+      // treated as benign success.
+      const cleanupErr = removeKeyFile(keyFilePath);
+      if (cleanupErr) {
+        logger.warning(
+          `Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
+            `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`
+        );
+      }
       cleanupCallbacks.delete(syncCleanup);
     }
 
@@ -342,7 +339,7 @@ async function executeMovementMoveObject(
       throw error;
     }
     if (error instanceof CliExecutionError) {
-      if (error.stdoutPreview) console.log(error.stdoutPreview);
+      if (error.stdoutPreview) logger.info(error.stdoutPreview, 2);
       logger.error(
         `Failed to ${subcommand === "deploy-object" ? "deploy" : "upgrade"} module: ${error.message}\n${error.stderr}`
       );

package/src/harness/script.ts

@@ -1,22 +1,20 @@
 import { existsSync } from "fs";
-import { homedir } from "os";
-import { extname, join } from "path";
-import { randomUUID } from "crypto";
+import { extname } from "path";
+import { PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
 import type { MovehatRuntime } from "../types/runtime.js";
 import type {
   RunMoveScriptOptions,
   MoveScriptResult,
 } from "../types/harness.js";
-import { validatePathSafety, validateProfileSafety } from "../core/shell.js";
+import { validatePathSafety } from "../core/shell.js";
 import { CliExecutionError } from "../errors.js";
 import { runCli } from "../utils/runCli.js";
 import { parseTxHash } from "../utils/parseCliOutput.js";
-import { logger } from "../ui/index.js";
+import { logger, isVerbose } from "../ui/index.js";
 import {
-  withYamlLock,
-  addProfile,
-  removeProfile,
-  removeProfileSync,
+  writeTempKeyFile,
+  removeKeyFile,
+  removeKeyFileSyncBestEffort,
   ensureSignalHandler,
   cleanupCallbacks,
 } from "../core/movementProfile.js";
@@ -29,9 +27,9 @@ import {
  *   - `.mv` compiled bytecode → `--compiled-script-path`
  *
  * Reuses Publisher's security model via the shared `movementProfile`
- * helpers: per-deploy unique profile, atomic 0o600 yaml writes under
- * the mutex, SIGINT-safe sync cleanup, `--profile` auth (key never
- * appears in `ps` output).
+ * helpers: per-invocation temp key file (0o600), SIGINT-safe sync
+ * cleanup, `--private-key-file` auth (key never appears in `ps`
+ * output or in the user's `~/.aptos/config.yaml`).
  *
  * Returns {@link MoveScriptResult}. `txHash` is guaranteed; `success`
  * and `vmStatus` are best-effort parsed from the CLI's Result JSON.
@@ -70,8 +68,6 @@ export async function runMoveScript(
   }
 
   const safeScriptPath = validatePathSafety(options.scriptPath, "script path");
-  const profile = `movehat-script-${randomUUID().slice(0, 8)}`;
-  const safeProfile = validateProfileSafety(profile);
 
   logger.step(
     `Running Move script '${options.scriptPath}' on ${config.network}...`
@@ -80,26 +76,28 @@ export async function runMoveScript(
   try {
     const deployerAddress = account.accountAddress.toString();
 
-    let cleanPrivateKey = config.privateKey;
-    if (cleanPrivateKey.startsWith("ed25519-priv-")) {
-      cleanPrivateKey = cleanPrivateKey.replace("ed25519-priv-", "");
-    }
+    // Format the private key into AIP-80 shape before writing to the
+    // temp key file. `formatPrivateKey` is idempotent for already-
+    // prefixed inputs.
+    const formattedPrivateKey = PrivateKey.formatPrivateKey(
+      config.privateKey,
+      PrivateKeyVariants.Ed25519,
+    );
 
-    const movementConfigPath = join(homedir(), ".aptos", "config.yaml");
+    // Pass the private key via a 0o600 temp file (--private-key-file)
+    // and the on-chain address via --sender-account. Avoids the CLI's
+    // profile-yaml lookup chain entirely (no CWD / HOME / .aptos /
+    // .movement dance, no CLI-variant dependency).
+    const keyFilePath = writeTempKeyFile(formattedPrivateKey);
 
+    // SIGINT-safe sync cleanup BEFORE the CLI call so the private key
+    // never persists on disk after an abnormal exit. The signal-handler
+    // path uses the best-effort variant because the event loop is dead
+    // and we cannot logger.warning.
     ensureSignalHandler();
-    const syncCleanup = () => removeProfileSync(movementConfigPath, profile);
+    const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
     cleanupCallbacks.add(syncCleanup);
 
-    await withYamlLock(() =>
-      addProfile(movementConfigPath, profile, {
-        private_key: cleanPrivateKey,
-        public_key: account.publicKey.toString(),
-        account: deployerAddress,
-        rest_url: config.rpc,
-      })
-    );
-
     let scriptOut = "";
     try {
       const typeArgsFragment: string[] =
@@ -117,8 +115,10 @@ export async function runMoveScript(
           args: [
             "move",
             "run-script",
-            "--profile",
-            safeProfile,
+            "--private-key-file",
+            keyFilePath,
+            "--sender-account",
+            deployerAddress,
             "--url",
             config.rpc,
             "--assume-yes",
@@ -132,18 +132,22 @@ export async function runMoveScript(
         { adapter: options.adapter }
       );
       scriptOut = result.stdout;
-      if (result.stdout) console.log(result.stdout.trim());
-      if (result.stderr) console.error(result.stderr.trim());
+      // Both streams gated behind isVerbose(); Movement CLI uses
+      // stderr for progress messages too. Real failures throw via
+      // CliExecutionError and are surfaced from the catch below.
+      if (isVerbose() && result.stdout) logger.info(result.stdout.trim(), 2);
+      if (isVerbose() && result.stderr) logger.info(result.stderr.trim(), 2);
     } finally {
-      await withYamlLock(() => removeProfile(movementConfigPath, profile)).catch(
-        (err) => {
-          const cleanupMsg = err instanceof Error ? err.message : String(err);
-          logger.warning(
-            `Failed to remove script profile "${profile}" from ${movementConfigPath}: ${cleanupMsg}. ` +
-              `Run 'movement config delete-profile --profile ${profile}' to clean up manually.`
-          );
-        }
-      );
+      // Observable cleanup — emit a warning if the unlink failed and
+      // the file is still on disk (private key would persist silently
+      // otherwise).
+      const cleanupErr = removeKeyFile(keyFilePath);
+      if (cleanupErr) {
+        logger.warning(
+          `Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
+            `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`
+        );
+      }
       cleanupCallbacks.delete(syncCleanup);
     }
 
@@ -166,7 +170,7 @@ export async function runMoveScript(
     return out;
   } catch (error) {
     if (error instanceof CliExecutionError) {
-      if (error.stdoutPreview) console.log(error.stdoutPreview);
+      if (error.stdoutPreview) logger.info(error.stdoutPreview, 2);
       logger.error(`Failed to run Move script: ${error.message}\n${error.stderr}`);
     } else {
       const err = error instanceof Error ? error : new Error(String(error));